NASA’s internal computer network has numerous security weaknesses and is highly vulnerable to an external cyberattack, an audit by the agency's Office of the Inspector General has found. Worse, several of the weaknesses had been known for months yet remained unaddressed.

“Six computer servers associated with IT [information technology] assets that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable,” the audit report released Monday by Inspector General Paul K. Martin said.

"The attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA’s operations," the report continued. "We also found network servers that revealed encryption keys, encrypted passwords, and user account information to potential attackers."

NASA networks long known to be weak
It is not unusual for previously unknown network security holes to be found in large organizations, and on its own Martin’s audit might have been seen as a positive step for bringing the vulnerabilities to light.

But it has long been known that security on NASA networks is weak. Martin’s office released a previous audit report nearly a year ago, and its key recommendation had still not been implemented.

“In a May 2010 audit report, we recommended that NASA immediately establish an IT security oversight program for this key network,” Monday's report reads. “However, even though the agency concurred with the recommendation it remained unimplemented as of February 2011.”

“Until NASA addresses these critical deficiencies and improves its IT security practices,” it goes on to say, “the agency is vulnerable to computer incidents that could have a severe to catastrophic effect on agency assets, operations, and personnel.”

A Government Accountability Office report in October 2009 was similarly critical of the agency, finding that “NASA has not yet fully implemented key activities of its information security program to ensure that controls are appropriately designed and operating effectively.”

NASA’s servers have been broken into many times in the past. Martin’s new report mentions two serious breaches in 2009, during one of which intruders stole “22 gigabytes of export-restricted data from a Jet Propulsion Laboratory computer system.”

British hacker Gary McKinnon is awaiting extradition to the U.S. for allegedly hacking into NASA’s networks, as well as those of the Department of Defense, in 2001 and 2002.

Martin’s office recommends that NASA "expedite implementation of our May 2010 recommendation to establish an IT security oversight program for NASA’s agency-wide mission network."

Scanning for vulnerabilities
The inspector general's report was based on an audit of the agency-wide mission network, using Nessus, a widely used vulnerability scanner, to probe servers for known weaknesses. Investigators found 54 computer servers on the network that were reachable from the Internet, and six of them had high-risk vulnerabilities. Six other servers that were not directly reachable from the Internet also had high-risk vulnerabilities.

The report said one of the Internet-accessible servers was susceptible to an FTP bounce attack, "a highly effective form of cyberattack, widely known since 1998." In an FTP bounce, an attacker sends the server a PORT command naming a third-party host and port, so that the FTP server, rather than the attacker, opens the data connection and delivers whatever the attacker uploads. Had the vulnerability been exploited, "a cybercriminal could have significantly disrupted NASA's spaceflight operations and stolen sensitive data," investigators said.
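To make the mechanics of that finding concrete, here is an added example (not code from the report or from NASA) showing how an FTP server decides whether to honour a PORT command. The vulnerable behaviour is to accept any address; the long-standing mitigation (RFC 2577) is to open data connections only back to the client that holds the control connection, and never to privileged ports. The function names, the client address and the constructed session transcript are all assumptions made for illustration.

```python
"""FTP bounce attack: parsing PORT commands and applying the bounce-prevention check.

Added example, not taken from the OIG report. The FTP PORT command carries the
target for the next data connection as six decimal octets: h1,h2,h3,h4,p1,p2,
meaning IPv4 address h1.h2.h3.h4 and TCP port p1*256 + p2. A server that opens
a data connection to whatever target the client names can be "bounced" into
connecting to, port-scanning or delivering data to any host it can reach.
"""
import ipaddress
import re

# Matches "PORT h1,h2,h3,h4,p1,p2" (case-insensitive verb, optional trailing space).
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_argument(line):
    """Parse one PORT command line into (ip_string, port).

    Raises ValueError on anything that is not a well-formed PORT argument,
    so malformed input is rejected rather than guessed at.
    """
    match = PORT_RE.match(line.strip())
    if not match:
        raise ValueError("malformed PORT command")
    octets = [int(x) for x in match.group(1).split(",")]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def port_allowed(line, client_ip, allow_third_party=False):
    """Decide whether to honour a PORT command from the peer at client_ip.

    Returns (allowed, reason). With allow_third_party=True the function models
    the bounce-vulnerable behaviour: any target is accepted. The default models
    the RFC 2577 mitigation: the data connection may only go back to the
    control-connection peer, and only to a non-privileged port (>= 1024).
    """
    try:
        target_ip, target_port = parse_port_argument(line)
    except ValueError as exc:
        return False, str(exc)

    if allow_third_party:
        # Bounce-vulnerable configuration: the server will connect anywhere.
        return True, "any target accepted (bounce-vulnerable)"

    if ipaddress.ip_address(target_ip) != ipaddress.ip_address(client_ip):
        return False, "target differs from control-connection peer (bounce attempt)"
    if target_port < 1024:
        return False, "privileged target port"
    return True, "ok"


def audit_session(commands, client_ip):
    """Run the hardened check over a list of PORT commands from one session.

    Returns a list of (command, allowed, reason) so a reviewer can see which
    lines a hardened server would refuse.
    """
    return [(cmd, *port_allowed(cmd, client_ip)) for cmd in commands]


# Constructed control-channel transcript from a client at 203.0.113.10 (RFC 5737
# documentation range). The second and fourth lines name other hosts, the shape
# of a bounce attempt; the third targets the client itself but on a privileged port.
CLIENT_IP = "203.0.113.10"
SESSION = [
    "PORT 203,0,113,10,4,1",    # 203.0.113.10:1025, legitimate
    "PORT 198,51,100,7,0,25",   # 198.51.100.7:25, bounce to a mail server
    "PORT 203,0,113,10,0,80",   # 203.0.113.10:80, privileged port
    "PORT 10,0,0,5,0,22",       # 10.0.0.5:22, bounce to an internal SSH host
    "PORT 1,2,3",               # malformed
]

if __name__ == "__main__":
    for cmd, allowed, reason in audit_session(SESSION, CLIENT_IP):
        print(f"{cmd:<28} {'ALLOW' if allowed else 'DENY ':<5} {reason}")
```

The third line matters in practice: even when the target address matches the client, a server that honours PORT to low ports can be used to reach privileged services on the client's own host, which is why the port floor is part of the check rather than an afterthought.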

The report did not identify the locations of the computer servers, but noted that NASA managers have fixed all of the security holes that were brought to their attention. NASA's management team has promised to implement a strategy for an agency-wide network risk assessment by the end of August, and work up a comprehensive approach for identifying and addressing risks by the end of September.

"We consider the chief information officer's proposed actions to be responsive to our recommendations," the inspector general's office said. "Therefore, the recommendations are resolved and will be closed upon verification that management has completed the corrective actions."